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OPERATIONAL SECURITY 

The Short Version 



































If you want to lose a fight, talk about it first 


Quellcrist Falconer 



DENIAL & DECEPTION 




DENIAL 

Prevent the adversary from gaining useful information 





DECEPTION 

Feed the adversary false information 









Cover 


• Cover for action 

• Cover for status 
Concealment 


Compartmentation 



“People must communicate.They will make mistakes 

and we will exploit them.” 

-James Clapper, Director of National Intelligence 




PHONES SUCK 












“The greatest material curse to the profession, despite 
all its advantages, is undoubtedly the telephone.” 

-Allen Dulles, 

Former Director of Central Intelligence 



NO MOBILE ANONYMITY 



MOBILE IDENTIFIERS 



LOCATION 


Specific location, e.g. home, work, etc. 

Mobility pattern, from home, via commute, to 
work 

Mirroring, two (or more) devices traveling 
together 



NETWORK 


• Numbers dialed, (who you call) 

• Calls received, (who calls you) 

• Calling pattern, (number dialed, for how Ion 
when, how frequently) 




PHYSICAL 


IMEI, mobile device ID (the serial number) 

IMSI, mobile subscriber ID (the phone number) 



CONTENT 


Identifiers, e.g. names, locations 
Voice fingerprinting 
Keywords 



SMARTPHONES 

• Ad network analytics 

• GPS 

• Apps scrape and upload content 

• Mothership pings 

• Android ID 

• MAC address 




SMARTPHONES CONT 


• IP address 

• WiFi beacons 

• Cameras 

• Gait analysis (via sensors) 





PHOENIX 


SUSPICIOUS FLASHLIGHT 


3RD AVE. A JEFFERSON 


THREAT MODEL 









LOCAL SECURITY FORCES 









Reporters are searched and interrogated 
AJ reporters arrested for “spy equipment 

• Mobile 3G access point 

• Militia members thought it looked 
“suspicious” 



NOT NSA 





USERS 











SECURITY IS HARD WORK 



SECURJTYTAKES DISCIPLINE 



USERS ARE LAZY 



so are we 




EASY TO USE 






SECURE BY DEFAULT 
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REASONABLY SECURE 









BURNER PHONES 


















WHAT ARETHEY GOOD FOR? 

• Threat actors without nation state level capabilities 

• Your mom 

• Building a non-operational legend 

• Flesh out a persona that doesn’t need 
protection 
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DEFINITELY NOT NSA 





BURNER GUIDELINES 

• Dumber the better 

• Learn to disable completely (battery + SIM out) 

• Disable around locations linked to you (home!) 

• Never put in real information 

• Feel free to load with fake data 

https://b3rn3d.herokuapp.com/bioq/2614/61/22/burner-phone-best-practices/ 




BURNER GUIDELINES, CONT 

• Call non-operational numbers to chaff the analysis 

• Keep it short 

• Keep it simple 

• Get rid of it as soon as possible 



BURNER GUIDE CONT 


Purchase using cash from smaller stores 
Time delay before activation (months) 


Dispose of with extreme prejudice 



CLANDESTINE CALLS 










“Never dial [the] number before having thought about 
your conversation. Do not improvise even the dummy 
part of it. But do not be too elaborate.The great 

rule...is to be natural.’’ 

-Allen Dulles 



Keep it short, simple and natural 
Prefer signalling over operational data 
• signalling > open codes > plain talk 


Enter your conversation with a plan 



“Even if you do not use [the phone] carelessly 
yourself, the other fellow, very often will, so in any 

case, warn him.” 

-Allen Dulles, Former Director of Central Intelligence 




FORTRESS PHONE 












NSA GUIDELINES 


Two forms of encryption 

• Belts and braces 
Data at rest 

• FDE + app encryption 
Data in motion 


• VPN + app encryption 



YOU CANNOT HAVE A 
SECURE ANDROID PHONE 



BECAUSE IT IS A PHONE 



BECAUSE IT IS ANDROID 




























YOU CANT BOLT ON SECURITY 

Android cannot be secured by adding apps 










BUT WHAT IF 

No. Seriously, just no. 






• Blackphone 

• For people with money 

• Samsung KNOX 

• For people who don’t want a secure phone 



• GuardianROM 

• For people who like to reboot 

• CryptogenMod* 

• For DIY hackers 

* name subject to change 




IS IT NSA-PROOF? 































CRYPTOGENMOD 

Hardened Android ROM 








FEATURES 


Lots of crypto 

Robust against physical access 
Resilient against network attacks 


Impact containment 



Derived from CyanogenMod I 
Stripped down (no browser; no analyti 
Advanced privacy patches 
• OpenPDroid + PDroid Manager 


Secure application replacements 




• A lot more work to be done here 
Hardened userland 


A lot more work to be done here 




PROTECTION 





Local physical access 
Remote hacking 
Baseband hacking 
Network monitoring 


GSM monitorin 



PHYSICAL 

• Forensic analysis 

• Encryption 

• Security Ratchet 



REMOTE 


Reduce attack surface dramatically 
• No browser; services, or email 


No app store 



BASEBAND 


Nothing I can do 


• Except PORTAL 


But it’s not the end of the world 


BB exploits are finicky 


BB design is everything (segmentation FTW) 





NETWORK MONITORING 


VPN direct to a secure backend 
Limited information is exposed 


Provides dual layer encryption 
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The location of 
ou< Bat Cave 
is meant to 
be secret, so 

STOP 

CHECKING IN! 
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AGENT-X COMICS « 


WWW AGENT-X.COM AU 


OPSEC STILL CRITICAL 

Secure phones can’t cure stupid. 



















DARKMATTER 

ThisApp Kills Forensic Analysis 









SECURE APP CONTAINERS + 
SECURE OPERATIONAL ENV 



CRYPTED APP CONTAINERS 



MOBILETRUECRYPT 

• Runs apps within TrueCrypt containers 

• Automagically kills sensitive apps, then 

• mount -o bind ... /data/data/$app 



MOBILETRUECRYPT 


tc-pl ay https://github.com/bwalex/tc-play 
Uses theTrueCrypt volume format 
• Supports outer and hidden volumes 
Backend is dm-crypt not FUSE 





MOBILETRUECRYPT 


Why not use native /data encryption? 

• AES-256-XTS > RES-128-CBC 


• Use both 



WIN STATES 



CLOSED CRYPTED 
CONTAINERS 



SHUTDOWN/REBOOT 

COUNTS 




HOW DO WE GETTHERE? 
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EVENT BASED HARDENING 







CHANGE SECURITY POSTURE 
BASED ON OBSERVATIONS OFTHE 
OPERATIONAL ENVIRONMENT 



Observe the operational environment 

• Monitor for Securi tyEvents 

Harden the security posture 

• Trigger Securi tyReti ons 



INDICATORS OF A NEGATIVE 
OPERATIONAL ENVIRONMENT 



Failed login 


Tinner 

Temperature drop 
Radio silence 
Debugger attach 
Receive alert 


SIM removed 



HARDEN SECURITY POSTURE 



Kill sensitive applications 
Unmount file systems 
Wipe files 
Wipe ram 


Reboot phone 



DURESS CODES 


Explicit duress codes don’t work 

• “of these two codes, only use this one when 
you’re under extreme stress, ps don’t forget” 

• “if you use the wrong code, you are severely 
punished” 
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EMERGENCY CALL 








Cryptogen Mod 
DarkMatter 









http://github.com/grugq/darkmatter 





RAISE 

NSA 

PRICE 2 PWN* 


* probably 









THEY’LL ADAPT 









C www.reuters.com /article/2014/03/2 8/ us-media-cybercrime-idUSBREA2R0EU201403 2 8 

Journalists, media under attack from 
hackers: Google researchers 
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ALJAZEERA 


THANKS! 







QUESTIONS? 
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THANKYOU 
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the.grugq@gmail.com 








